Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-32887

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-26 Apr, 2024 | 21:02
Updated At-02 Aug, 2024 | 02:20
Rejected At-
Credits

Reflected XSS in sidekiq

Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:26 Apr, 2024 | 21:02
Updated At:02 Aug, 2024 | 02:20
Rejected At:
▼CVE Numbering Authority (CNA)
Reflected XSS in sidekiq

Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4.

Affected Products
Vendor
sidekiq
Product
sidekiq
Versions
Affected
  • >= 7.2.0, < 7.2.4
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
x_refsource_CONFIRM
https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
x_refsource_MISC
https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
x_refsource_MISC
Hyperlink: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
Resource:
x_refsource_MISC
Hyperlink: https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
sidekiq
Product
sidekiq
CPEs
  • cpe:2.3:a:sidekiq:sidekiq:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 7.2.0
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
x_refsource_CONFIRM
x_transferred
https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
x_refsource_MISC
x_transferred
https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:26 Apr, 2024 | 21:15
Updated At:15 Apr, 2026 | 00:35

Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164dsecurity-advisories@github.com
N/A
https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4security-advisories@github.com
N/A
https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxqsecurity-advisories@github.com
N/A
https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164daf854a3a-2127-422b-91ae-364da2661108
N/A
https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4af854a3a-2127-422b-91ae-364da2661108
N/A
https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxqaf854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

57Records found
CVE-2023-7054
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.14% / 34.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 02:00
Updated-02 Aug, 2024 | 08:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Notes Sharing System add-notes.php unrestricted upload

A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /user/add-notes.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-248741 was assigned to this vulnerability.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_notes_sharing_systemOnline Notes Sharing System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2001
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.5||MEDIUM
EPSS-0.09% / 24.94%
||
7 Day CHG~0.00%
Published-29 Feb, 2024 | 13:30
Updated-04 Mar, 2025 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting vulnerability in Cockpit CMS

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

Action-Not Available
Vendor-Cockpit CMSAgentejo
Product-cockpitCockpit CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-48248
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-5.5||MEDIUM
EPSS-0.14% / 33.73%
||
7 Day CHG~0.00%
Published-10 Jan, 2024 | 10:41
Updated-17 Jun, 2025 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The vulnerability allows an authenticated remote attacker to upload a malicious file to the SD card containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned file.

Action-Not Available
Vendor-Bosch Rexroth AGRobert Bosch GmbH
Product-nexo_cordless_nutrunner_nxa015s-36v_\(0608842001\)nexo-osnexo_cordless_nutrunner_nxa011s-36v_\(0608842011\)nexo_cordless_nutrunner_nxa065s-36v_\(0608842013\)nexo_special_cordless_nutrunner_\(0608pe2272\)nexo_cordless_nutrunner_nxa030s-36v-b_\(0608842007\)nexo_special_cordless_nutrunner_\(0608pe2673\)nexo_cordless_nutrunner_nxp012qd-36v-b_\(0608842010\)nexo_cordless_nutrunner_nxa011s-36v-b_\(0608842012\)nexo_special_cordless_nutrunner_\(0608pe2514\)nexo_cordless_nutrunner_nxv012t-36v-b_\(0608842016\)nexo_special_cordless_nutrunner_\(0608pe2301\)nexo_cordless_nutrunner_nxa065s-36v-b_\(0608842014\)nexo_cordless_nutrunner_nxa030s-36v_\(0608842002\)nexo_special_cordless_nutrunner_\(0608pe2666\)nexo_cordless_nutrunner_nxv012t-36v_\(0608842015\)nexo_special_cordless_nutrunner_\(0608pe2515\)nexo_cordless_nutrunner_nxa015s-36v-b_\(0608842006\)nexo_cordless_nutrunner_nxa050s-36v_\(0608842003\)nexo_cordless_nutrunner_nxa050s-36v-b_\(0608842008\)nexo_cordless_nutrunner_nxp012qd-36v_\(0608842005\)Nexo cordless nutrunner NXA011S-36V (0608842011)Nexo cordless nutrunner NXV012T-36V (0608842015)Nexo cordless nutrunner NXA011S-36V-B (0608842012)Nexo special cordless nutrunner (0608PE2301)Nexo cordless nutrunner NXA030S-36V-B (0608842007)Nexo special cordless nutrunner (0608PE2514)Nexo cordless nutrunner NXA015S-36V-B (0608842006)Nexo special cordless nutrunner (0608PE2272)Nexo cordless nutrunner NXA065S-36V (0608842013)Nexo cordless nutrunner NXA050S-36V (0608842003)Nexo cordless nutrunner NXA050S-36V-B (0608842008)Nexo special cordless nutrunner (0608PE2666)Nexo special cordless nutrunner (0608PE2673)Nexo cordless nutrunner NXA065S-36V-B (0608842014)Nexo special cordless nutrunner (0608PE2515)Nexo cordless nutrunner NXP012QD-36V-B (0608842010)Nexo cordless nutrunner NXP012QD-36V (0608842005)Nexo cordless nutrunner NXV012T-36V-B (0608842016)Nexo cordless nutrunner NXA015S-36V (0608842001)Nexo cordless nutrunner NXA030S-36V (0608842002)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44748
Matching Score-4
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
ShareView Details
Matching Score-4
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
CVSS Score-5.5||MEDIUM
EPSS-0.27% / 50.56%
||
7 Day CHG~0.00%
Published-06 Mar, 2022 | 19:05
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser for Android

A vulnerability affecting F-Secure SAFE browser was discovered whereby browsers loads images automatically this vulnerability can be exploited remotely by an attacker to execute the JavaScript can be used to trigger universal cross-site scripting through the browser. User interaction is required prior to exploitation, such as entering a malicious website to trigger the vulnerability.

Action-Not Available
Vendor-F-Secure Corporation
Product-safeF-Secure SAFE Browser for Android Version 18.5
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-35228
Matching Score-4
Assigner-SolarWinds
ShareView Details
Matching Score-4
Assigner-SolarWinds
CVSS Score-5.5||MEDIUM
EPSS-1.25% / 79.55%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 17:43
Updated-16 Sep, 2024 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected cross site scripting affecting SolarWinds: DPA 2021.3.7388

This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on specific section of page causing a reflective cross site scripting attack. An attacker would need to perform a Man in the Middle attack in order to change header for a remote victim.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-database_performance_analyzerSolarWinds
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24432
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.5||MEDIUM
EPSS-0.09% / 25.40%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 15:34
Updated-16 Apr, 2025 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICSA-22-062-01 IPCOMM ipDIO

Persistent cross-site scripting (XSS) in the web interface of ipDIO allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into specific fields. The XSS payload will be executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services).

Action-Not Available
Vendor-ipcommIPCOMM
Product-ipdio_firmwareipdioIPCOMM ipDIO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-0719
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.23% / 45.24%
||
7 Day CHG~0.00%
Published-27 Nov, 2018 | 21:00
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Security Advisory for Vulnerabilities in QTS

Cross-site Scripting (XSS) vulnerability in NAS devices of QNAP Systems Inc. QTS allows attackers to inject javascript. This issue affects: QNAP Systems Inc. QTS version 4.2.6 and prior versions on build 20180711; version 4.3.3 and prior versions on build 20180725; version 4.3.4 and prior versions on build 20180710.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsQTS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next
Details not found